The Information Commissioner’s Office (ICO) hit Facebook with the fine – the maximum possible – for "serious breaches of data protection law" and for failing to protect its users’ privacy.
The ICO said data belonging to 87mln users – some 1mln believed to be from the UK – was improperly accessed by Cambridge Analytica, which has since been shut down. The information was used to help Donald Trump's 2016 presidential election campaign.
Facebook broke the law by failing to safeguard people's data and not being transparent about how that data could be harvested, the ICO said.
The fine is the maximum allowed under the Data Protection Act 1998 but is a drop in the ocean for a company like Facebook, which is valued at close to US$600bn.
The scandal took place before new EU data protection laws that allow much larger fines came into force.
If the incident had happened after the EU's new General Data Protection Regulation came into force earlier this year, the social networking firm could have received a maximum fine of £17mln or 4% of its global turnover.
"A company of its size and expertise should have known better and it should have done better," Elizabeth Denham, the information commissioner, said in a statement.
"We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation."
Facebook said in a statement that it was "reviewing" the decision but acknowledged that it could have done more to investigate claims about Cambridge Analytica.